eBook - ePub
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition
IT Governance Privacy Team
This is a test
Condividi libro
- 386 pagine
- English
- ePUB (disponibile sull'app)
- Disponibile solo in versione web
eBook - ePub
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition
IT Governance Privacy Team
Dettagli del libro
Anteprima del libro
Indice dei contenuti
Citazioni
Informazioni sul libro
Understand your GDPR obligations and prioritis e the steps you need to take to comply
The GDPR gives individuals significant rights over how their personal information is collected and processed, and places a range of obligations on organisations to be more accountable for data protection.
The Regulation applies to all data controllers and processors that handle EU residents' personal information. It supersedes the 1995 EU Data Protection Directive and all EU member states' national laws that are based on it – including the UK's DPA (Data Protection Act) 1998.
Failure to comply with the Regulation could result in fines of up to €20 million or 4% of annual global turnover – whichever is greater. This guide is a perfect companion for anyone managing a GDPR compliance project. It provides a detailed commentary on the Regulation, explains the changes you need to make to your data protection and information security regimes, and tells you exactly what you need to do to avoid severe financial penalties.
Clear and comprehensive guidance to simplify your GDPR compliance project
Now in its fourth edition, EU General Data Protection Regulation (GDPR) – An implementation and compliance guide provides clear and comprehensive guidance on the GDPR. It explains the Regulation and sets out the obligations of data processors and controllers in terms you can understand.
Topics covered include:
- The DPO (data protection officer) role, including whether you need one and what they should do;
- Risk management and DPIAs (data protection impact assessments), including how, when and why to conduct one;
- Data subjects' rights, including consent and the withdrawal of consent, DSARs (data subject access requests) and how to handle them, and data controllers and processors' obligations;
- Managing personal data internationally, including updated guidance following the Schrems II ruling;
- How to adjust your data protection processes to comply with the GDPR, and the best way of demonstrating that compliance; and
- A full index of the Regulation to help you find the articles and stipulations relevant to your organisation.
About the authors
The IT Governance Privacy Team, led by Alan Calder, has substantial experience in privacy, data protection, compliance and information security. This practical experience, their understanding of the background and drivers for the GDPR, and the input of expert consultants and trainers are combined in this must-have guide to GDPR compliance.
Start your compliance journey now and buy this book today.
Domande frequenti
Come faccio ad annullare l'abbonamento?
È semplicissimo: basta accedere alla sezione Account nelle Impostazioni e cliccare su "Annulla abbonamento". Dopo la cancellazione, l'abbonamento rimarrà attivo per il periodo rimanente già pagato. Per maggiori informazioni, clicca qui
È possibile scaricare libri? Se sì, come?
Al momento è possibile scaricare tramite l'app tutti i nostri libri ePub mobile-friendly. Anche la maggior parte dei nostri PDF è scaricabile e stiamo lavorando per rendere disponibile quanto prima il download di tutti gli altri file. Per maggiori informazioni, clicca qui
Che differenza c'è tra i piani?
Entrambi i piani ti danno accesso illimitato alla libreria e a tutte le funzionalità di Perlego. Le uniche differenze sono il prezzo e il periodo di abbonamento: con il piano annuale risparmierai circa il 30% rispetto a 12 rate con quello mensile.
Cos'è Perlego?
Perlego è un servizio di abbonamento a testi accademici, che ti permette di accedere a un'intera libreria online a un prezzo inferiore rispetto a quello che pagheresti per acquistare un singolo libro al mese. Con oltre 1 milione di testi suddivisi in più di 1.000 categorie, troverai sicuramente ciò che fa per te! Per maggiori informazioni, clicca qui.
Perlego supporta la sintesi vocale?
Cerca l'icona Sintesi vocale nel prossimo libro che leggerai per verificare se è possibile riprodurre l'audio. Questo strumento permette di leggere il testo a voce alta, evidenziandolo man mano che la lettura procede. Puoi aumentare o diminuire la velocità della sintesi vocale, oppure sospendere la riproduzione. Per maggiori informazioni, clicca qui.
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition è disponibile online in formato PDF/ePub?
Sì, puoi accedere a EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition di IT Governance Privacy Team in formato PDF e/o ePub, così come ad altri libri molto apprezzati nelle sezioni relative a Droit e Droit de la science et de la technologie. Scopri oltre 1 milione di libri disponibili nel nostro catalogo.
Informazioni
Argomento
DroitCHAPTER 1: SCOPE, CONTROLLERS AND PROCESSORS
The GDPR applies widely, but it is not universal. Equally, not all personal data processing falls under its purview. Many organisations will exist in ‘grey’ areas where certain processing may not be governed by the GDPR while others are, or could believe themselves exempt when they are not.
Scope of the GDPR
The GDPR applies a material scope and a territorial scope. These are the uses of personal data and the geographic regions that are governed by the Regulation.
In its broadest sense, the GDPR applies to:
the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which forms part of a filing system or are intended to form part of a filing system.9
A ‘filing system’ refers to personal data that is organised, presumably for ease of access and use, and could include anything from an alphabetised set of papers in a cabinet through to an enormous, searchable database. A number of papers in a box in a back room is unlikely to qualify, although emails in an inbox will.
There are, of course, exemptions to the material scope – for activities outside the scope of EU law, such as for national security of a non-EU state; processing by Member States pursuing activities related to the common foreign and security policy of the EU; for processing purely of a personal or household nature; and for competent authorities in Member States related to crime and security (such as police activities).
So, this is already very broad, and any organisation that makes much use of personal data at all is likely to be required to the comply with the Regulation.
The territorial scope is equally broad, and brings with it a number of additional concerns for organisations outside the EU and for those within the EU that do business with organisations outside. The Regulation applies under three territorial conditions10:
1.Organisations within the EU that process personal data, even if the actual processing activity is conducted outside the EU.
2.Organisations outside the EU that process the personal data of EU residents as part of offering good or services into the EU, or monitoring the behaviour of EU residents.
3.Organisations outside the EU that are otherwise governed by EU law on the basis of public international law.
The second of these is clearly problematic. In simple terms, it will apply to an organisation that provides processing services to an organisation within the EU, and it will apply to an organisation that clearly offers goods and/or services into the EU. For instance, if you sell products and your website lists prices in euros, then you are clearly selling into the EU and will need to abide by the GDPR. If you are a hotel in Australia, however, and do not market your hotel in the EU, then the personal data of any EU residents who might stay with you is exempt from the law.
The scope of the GDPR is obviously a complex topic and informs how you need to structure your compliance activities, especially where you might have a long or complicated supply chain. The scope is discussed in more detail in chapter 4 of this manual.
Controller and processor
The roles of data controller and data processor are central to the GDPR and it is crucial that you understand these roles. The basic definitions have already been set out in the introduction to this manual, but the detailed requirements around the roles need to be thoroughly understood.
Data controllers
The data controller is the party responsible for ensuring that personal data is processed in accordance with the Regulation. Article 4 of the GDPR provides the standard definition for a controller:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.11
The controller is the entity that determines the purposes of processing activities. This includes determining which data will be collected, who to collect data from, whether there is a justification for not notifying the data subjects or seeking their consent, how long to retain the data, and so on.
It is also the data controller’s duty to ensure that any third-party processors abide by the rules, in accordance with the Regulation’s statement that:
the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.12
The controller will usually be the ‘public-facing’ entities to which data subjects supply their information. For instance, a hospital might have an online form for entering health information; even if the online form is provided by a third party, the hospital (which determines what the data is processed for) will be the data controller. If the form is managed by a third party that has some autonomy over the design of the form and the categories of data that it collects, then that third party could become a joint controller.
It is the controller’s duty to protect personal data by implementing “appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the GDPR]”.13 These measures might also be called ‘controls’, and should be applied in response to calculated risks, be documented clearly, and be monitored and checked for effectiveness (see chapter 11 for more information).
Implementing appropriate controls is a part of the data controller’s commitment to establishing data protection by design and by default. Establishing the most secure ways of processing the personal data must be done “both at the time of the determination of the means for processing and at the time of the processing itself”.14
Data protection impact assessments (DPIAs) are a key part of data protection by design and by default (see chapter 10). Responsibility for this falls to the data controller, and should not be foisted onto a data processor. However, the controller should consult the processors that may be affected in order to ensure that the DPIA is thorough, that the resulting plans can be implemented, and that the measures are and continue to be effective.
Joint controllers
It is possible for two or more controllers to jointly determine the purposes and means of processing. If your organisation needs to establish itself as a joint controller in partnership with another organisation, you will need to ensure that the “respective responsibilities for compliance with the [Regulation]” are established before performing any processing or collection of personal data.
Data processors
Data processors are those bodies contracted by the controller to perform some function on the personal data. The Regulation’s definition of a processor is as follows:
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.15
The processes must fall within the parameters provided by the data controller in accordance with the Regulation. Contracts between controllers and processors have a number of specific requirements, which are listed in Article 28, and the specific terms used in these contracts may, at some point, be dictated by either the Commission or your supervisory authority.
The controller does not have to define every single element of how the data is processed, and can rely on the processor’s “sufficient guarantees” that processing will be done securely.16 As such, the processor might still be responsible for determining some of the following elements:
•The IT systems or other methods used to collect personal data.
•How the data is stored.
•The security surrounding the personal data.
•How the personal data is transferred from one organisation to another.
•How personal data about a specific individual is retrieved.
•Methods for ensuring a retention schedule is adhered to.
•How data is deleted or disposed of.
Processors may be free to design all of these for a number of reasons. For instance, if an organisation contracts a marketing agency to do some research, the organisation might determine the purpose of the personal data processing (e.g. to establish a measure of the organisation’s reputation) but defer to the marketing agency’s expertise on how best to achieve this end. The marketing agency must manage the personal data securely and in accordance with the GDPR. In this instance, it is likely that the marketing agency will be a joint controller.
Processors are restricted from engaging another processor “without prior specific or general written authorisation of the controller”.17 This ensures that the controller mainta...